From c3b7a486112c41da208bdd7b15abb70012ceaa85 Mon Sep 17 00:00:00 2001
From: Per Goncalves da Silva
Date: Wed, 17 Aug 2022 11:02:00 +0200
Subject: [PATCH 1/2] Update magic catalog for psa changes (#2842)

Signed-off-by: perdasilva
Upstream-repository: operator-lifecycle-manager
Upstream-commit: 69fe29482ab0caa8e1674d5bcb8f8213313158a0
---
 .../test/e2e/magic_catalog.go | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/staging/operator-lifecycle-manager/test/e2e/magic_catalog.go b/staging/operator-lifecycle-manager/test/e2e/magic_catalog.go
index 1067f8543a..4397162eab 100644
--- a/staging/operator-lifecycle-manager/test/e2e/magic_catalog.go
+++ b/staging/operator-lifecycle-manager/test/e2e/magic_catalog.go
@@ -11,6 +11,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 utilerrors "k8s.io/apimachinery/pkg/util/errors"
 "k8s.io/apimachinery/pkg/util/intstr"
+ "k8s.io/utils/pointer"
 k8scontrollerclient "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -259,8 +260,6 @@ func (c *MagicCatalog) makeCatalogSourcePod() *corev1.Pod {
 volumeMountName string = "fbc-catalog"
 )
 
- readOnlyRootFilesystem := false
-
 return &corev1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: c.podName,
@@ -268,6 +267,11 @@ func (c *MagicCatalog) makeCatalogSourcePod() *corev1.Pod {
 Labels: c.makeCatalogSourcePodLabels(),
 },
 Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 Containers: []corev1.Container{
 {
 Name: "catalog",
@@ -304,7 +308,13 @@ func (c *MagicCatalog) makeCatalogSourcePod() *corev1.Pod {
 },
 },
 SecurityContext: &corev1.SecurityContext{
- ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
+ ReadOnlyRootFilesystem: pointer.Bool(false),
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: pointer.Bool(true),
+ RunAsUser: pointer.Int64(1001),
 },
 ImagePullPolicy: corev1.PullAlways,
 TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,

From a0659a66def73c76642c96d573432ba9de1a0599 Mon Sep 17 00:00:00 2001
From: Per Goncalves da Silva
Date: Wed, 17 Aug 2022 15:39:34 +0200
Subject: [PATCH 2/2] Update skopeo pod for psa (#2844)

Signed-off-by: perdasilva
Upstream-repository: operator-lifecycle-manager
Upstream-commit: d9908b4278db30855473ff9abfb4ea25255c26ab
---
 .../operators/olm/downstream_csv_labeler.go | 61 +++++++++++++++++++
 .../test/e2e/skopeo.go | 15 +++++
 .../operators/olm/downstream_csv_labeler.go | 61 +++++++++++++++++++
 3 files changed, 137 insertions(+)
 create mode 100644 staging/operator-lifecycle-manager/pkg/controller/operators/olm/downstream_csv_labeler.go
 create mode 100644 vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/olm/downstream_csv_labeler.go

diff --git a/staging/operator-lifecycle-manager/pkg/controller/operators/olm/downstream_csv_labeler.go b/staging/operator-lifecycle-manager/pkg/controller/operators/olm/downstream_csv_labeler.go
new file mode 100644
index 0000000000..d1105f5c9a
--- /dev/null
+++ b/staging/operator-lifecycle-manager/pkg/controller/operators/olm/downstream_csv_labeler.go
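Review bot: The container SecurityContext literal added here is repeated field for field in createSkopeoPod in skopeo.go later in this series; a shared e2e helper such as `func restrictedContainerSecurityContext() *corev1.SecurityContext` would keep the two pods' PSA settings from drifting and give the hard-coded UID 1001 a single named home. `ReadOnlyRootFilesystem: pointer.Bool(false)` is the one field that loosens the otherwise restricted profile and is the one most in need of a why-comment naming what in the catalog container needs a writable root filesystem. If these tests also run against OpenShift, a fixed RunAsUser may collide with the UID range the restricted SCC assigns to the namespace, so a comment on where 1001 comes from would help the next person who sees the pod rejected. The enclosing makeCatalogSourcePod starts before this hunk.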
@@ -0,0 +1,61 @@
+package olm
+
+import (
+ "context"
+ "fmt"
+
+ "github.com/operator-framework/api/pkg/operators/v1alpha1"
+ "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorclient"
+ "github.com/sirupsen/logrus"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const labelSyncerLabelKey = ""
+
+func NewCSVLabelSyncerLabeler(client operatorclient.ClientInterface, logger *logrus.Logger) *CSVLabelSyncerLabeler {
+ return &CSVLabelSyncerLabeler{
+ client: client,
+ logger: logger,
+ }
+}
+
+type CSVLabelSyncerLabeler struct {
+ client operatorclient.ClientInterface
+ logger *logrus.Logger
+}
+
+func (c *CSVLabelSyncerLabeler) OnAddOrUpdate(csv *v1alpha1.ClusterServiceVersion) error {
+ // ignore copied csvs
+ if csv.IsCopied() {
+ return nil
+ }
+
+ // ignore csv updates
+ if csv.Status.LastTransitionTime != nil {
+ return nil
+ }
+
+ namespace, err := c.client.KubernetesInterface().CoreV1().Namespaces().Get(context.Background(), csv.GetNamespace(), metav1.GetOptions{})
+ if err != nil {
+ return fmt.Errorf("error getting csv namespace (%s) for label sync'er labeling", csv.GetNamespace())
+ }
+
+ // add label sync'er label if it does not exist
+ if _, ok := namespace.Labels[labelSyncerLabelKey]; !ok {
+ nsCopy := namespace.DeepCopy()
+ nsCopy.Labels[labelSyncerLabelKey] = "true"
+ if _, err := c.client.KubernetesInterface().CoreV1().Namespaces().Update(context.Background(), namespace, metav1.UpdateOptions{}); err != nil {
+ return fmt.Errorf("error updating csv namespace (%s) with label sync'er label", nsCopy.GetNamespace())
+ }
+
+ if c.logger != nil {
+ c.logger.Printf("[CSV LABEL] applied %s=true label to namespace %s", labelSyncerLabelKey, nsCopy.GetNamespace())
+ }
+ }
+
+ return nil
+}
+
+func (c *CSVLabelSyncerLabeler) OnDelete(_ *v1alpha1.ClusterServiceVersion) error {
+ return nil
+}
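Review bot: In OnAddOrUpdate the label is written to nsCopy but the Update call sends `namespace`, the unmodified object read from the API, so the label never reaches the API server and the function silently does nothing. Two smaller problems sit in the same block: `labelSyncerLabelKey` is the empty string, which Kubernetes rejects as a label key as soon as a real update is sent, and `nsCopy.Labels[labelSyncerLabelKey] = "true"` panics when the namespace carries no labels at all, because DeepCopy of a nil map is a nil map. Both fmt.Errorf calls also drop the underlying err; wrapping with `%w` keeps the API server's reason (forbidden, conflict, validation) visible to whoever debugs a namespace that never got labeled. The same file is vendored verbatim in the last hunk of this series, so the fix applies there too, and NewCSVLabelSyncerLabeler, CSVLabelSyncerLabeler and OnAddOrUpdate are exported without doc comments; one comment on the type saying it labels the namespace of each newly created, non-copied CSV would cover all three.
```go
	namespace, err := c.client.KubernetesInterface().CoreV1().Namespaces().Get(context.Background(), csv.GetNamespace(), metav1.GetOptions{})
	if err != nil {
		return fmt.Errorf("error getting csv namespace (%s) for label sync'er labeling: %w", csv.GetNamespace(), err)
	}

	// add label sync'er label if it does not exist
	if _, ok := namespace.Labels[labelSyncerLabelKey]; !ok {
		nsCopy := namespace.DeepCopy()
		// a namespace without labels deep-copies to a nil map; writing to it would panic
		if nsCopy.Labels == nil {
			nsCopy.Labels = map[string]string{}
		}
		nsCopy.Labels[labelSyncerLabelKey] = "true"
		// send the copy that carries the new label, not the object read from the API
		if _, err := c.client.KubernetesInterface().CoreV1().Namespaces().Update(context.Background(), nsCopy, metav1.UpdateOptions{}); err != nil {
			return fmt.Errorf("error updating csv namespace (%s) with label sync'er label: %w", nsCopy.GetNamespace(), err)
		}
		// … unchanged: logger.Printf …
	}
	// … unchanged: return nil …
```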
diff --git a/staging/operator-lifecycle-manager/test/e2e/skopeo.go b/staging/operator-lifecycle-manager/test/e2e/skopeo.go
index 047d7285e3..a7d3c69e9d 100644
--- a/staging/operator-lifecycle-manager/test/e2e/skopeo.go
+++ b/staging/operator-lifecycle-manager/test/e2e/skopeo.go
@@ -6,6 +6,7 @@ import (
 "os/exec"
 
 "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorclient"
+ "k8s.io/utils/pointer"
 
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -81,11 +82,25 @@ func createSkopeoPod(client operatorclient.ClientInterface, args []string, names
 Labels: map[string]string{"name": skopeo},
 },
 Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 Containers: []corev1.Container{
 {
 Name: skopeo,
 Image: skopeoImage,
 Args: args,
+ SecurityContext: &corev1.SecurityContext{
+ ReadOnlyRootFilesystem: pointer.Bool(false),
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: pointer.Bool(true),
+ RunAsUser: pointer.Int64(1001),
+ },
 },
 },
 RestartPolicy: corev1.RestartPolicyNever,
diff --git a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/olm/downstream_csv_labeler.go b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/olm/downstream_csv_labeler.go
new file mode 100644
index 0000000000..d1105f5c9a
--- /dev/null
+++ b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/olm/downstream_csv_labeler.go
@@ -0,0 +1,61 @@
+package olm
+
+import (
+ "context"
+ "fmt"
+
+ "github.com/operator-framework/api/pkg/operators/v1alpha1"
+ "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorclient"
+ "github.com/sirupsen/logrus"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const labelSyncerLabelKey = ""
+
+func NewCSVLabelSyncerLabeler(client operatorclient.ClientInterface, logger *logrus.Logger) *CSVLabelSyncerLabeler {
+ return &CSVLabelSyncerLabeler{
+ client: client,
+ logger: logger,
+ }
+}
+
+type CSVLabelSyncerLabeler struct {
+ client operatorclient.ClientInterface
+ logger *logrus.Logger
+}
+
+func (c *CSVLabelSyncerLabeler) OnAddOrUpdate(csv *v1alpha1.ClusterServiceVersion) error {
+ // ignore copied csvs
+ if csv.IsCopied() {
+ return nil
+ }
+
+ // ignore csv updates
+ if csv.Status.LastTransitionTime != nil {
+ return nil
+ }
+
+ namespace, err := c.client.KubernetesInterface().CoreV1().Namespaces().Get(context.Background(), csv.GetNamespace(), metav1.GetOptions{})
+ if err != nil {
+ return fmt.Errorf("error getting csv namespace (%s) for label sync'er labeling", csv.GetNamespace())
+ }
+
+ // add label sync'er label if it does not exist
+ if _, ok := namespace.Labels[labelSyncerLabelKey]; !ok {
+ nsCopy := namespace.DeepCopy()
+ nsCopy.Labels[labelSyncerLabelKey] = "true"
+ if _, err := c.client.KubernetesInterface().CoreV1().Namespaces().Update(context.Background(), namespace, metav1.UpdateOptions{}); err != nil {
+ return fmt.Errorf("error updating csv namespace (%s) with label sync'er label", nsCopy.GetNamespace())
+ }
+
+ if c.logger != nil {
+ c.logger.Printf("[CSV LABEL] applied %s=true label to namespace %s", labelSyncerLabelKey, nsCopy.GetNamespace())
+ }
+ }
+
+ return nil
+}
+
+func (c *CSVLabelSyncerLabeler) OnDelete(_ *v1alpha1.ClusterServiceVersion) error {
+ return nil
+}